SRX

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  SIP/SMTP Static NAT across site to site VPN/SRX-340 >> SRX-340

    Posted 01-17-2022 19:54
    Hi,

    I’m having issues with inbound email and inbound SIP calls for remote SRX firewall. Both email and sip work fine on local SRX firewall. Exchange 2010 and Skype for Business 2010 are the apps being used.

    My current setup:

    1) I have sip alg enabled on both SRX-340 firewalls.
    2) 4 zones (trust, dmz, untrust and vpn), untrust used for static NAT and VPN zone used for passing traffic
    3) static NAT is coming from untrust zone and vpn zone interfaces and host prefix IP is in dmz zone (this is Skype edge server)
    4) proxy arp has been used from untrust interface to map untrust interface IPs
    5) security policies have been used from untrust to trust zones using global address IPs
    6) all routing is in 1 routing instance on both firewalls

    Once I can get to a computer I will give more details on configs etc..

    Can anyone shed any light on these issues? I’m migrating these firewalls from SSG-140s and I have the configs handy if needed (of course I’ll have to leave IPs off the public Internet due to security reasons).

    Thanks,

    Derek Hill

    Sent from my iPhone


  • 2.  RE: SIP/SMTP Static NAT across site to site VPN/SRX-340 >> SRX-340

     
    Posted 01-18-2022 05:48
    In general when converting a ScreenOS configuration to SRX

    MIP becomes static nat
    DIP becomes destination or source nat

    The rest of the rules about zone matching via routing and policy order are all the same as with the SSG models.

    When testing this command will let you see what nat is actually occurring in the flow records.
    show security flow session 
    optional adding restrictions for source or destination address 
    show security flow session source-prefix
    show security flow session  destination-prefix

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------